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new case 


ICO consultation on the draft right of access 
guidance 


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
O) Yes 

©) No 

© Unsure / don't know 

If no or unsure/don’t know, what other issues would you like to be covered in it? 


There is not enough advice on how to process certain kinds of information (ie. information sent on instant 
messenger like WhatsApp). Further detail is required of what happens should the ICO investigate - this 
would help organisations structure their information collection and storage in a way that could reduce 
workloads later. greater information on how much an individual can contact a organisation about a SAR 
while it is being processed and what the obligation of the organisation is to respond continuously or just 
once as part of the release of the data. 


Q2 


Does the draft guidance contain the right level of detail? 
O) Yes 

©) No 

© Unsure / don't know 


If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


The guidance on exemptions is better than it was. Previously it discussed exemptions too casually when 
the reality was that they could only be applied in strict circumstances . Greater detail on what support is 
available when a SAR request comes in would be helpful - particularly for small charities and businesses 
with limited capacity. 


Q3 


Does the draft guidance contain enough examples? 
O) Yes 
© No 
©) Unsure / don't know 


If no or unsure/don’t know, please provide any examples that think should be included in 
the draft guidance. 


Better guidance and examples of what is 'reasonable' when not providing information or using an 
exemption is needed. The accountability principle is a good one but small organisations with limited 


experienec and resource are carrying substanial risks in applying exemptions etc without a proper idea of 
what way an ICO judgement woudl fall. 


Q4 


We have found that data protection professionals often struggle with applying and 
defining ‘manifestly 

unfounded or excessive’ subject access requests. We would like to include a wide 
range of examples 

from a variety of sectors to help you. Please provide some examples of manifestly 
unfounded and excessive 

requests below (if applicable). 


One charity we advised had an employee submit a request for all the information 
that pertained to a grievance process they were involved in. We considered the 
request to be border-line excessive but not enough to reject it. The kind of data that 
was requested was very process heavy - I am not confident in advising clients that 
the definition of 'excessive' includes the costs of staff time processing and collecting 
information which exists but is not normally held toegther - rather than just the 
amount of information. 


Q5 


Q6 


Q7 


On a scale of 1-5 how useful is the draft guidance? 


1-Notatall 2-—Slightly | Moderately 4-Very 5-Extremely 
useful useful useful useful useful 


Why have you given this score? 


it helpfully lays out the issues that an organisation may face when managing a SAR 
process however it does not always then answer the question or address the issue. 
Saying 'you may consider doing X or you may judge it to be Y' isn't enough, you 
should provide guidance which stipulate what conditions an organisation would do x 
or y, e.g. if the information has a,b or c characteristic you should consider doing Y. 


To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly Neither agree Strongly 
disagree Disagree nor disagree Agree agree 


© O 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


Greater attention needs to be given by the ICO about how a SAR can be used to 
border-line harass small organisations. While all organisations must comply with the 
law, the potential impact of a large SAR on small charities and businesses can be all 
consuming. Small organisation's limited capacity also means they carry greater risk 
of poor compliance. The ease of submitting a SAR vs the time, stress and risk of 


trying to comply creates a power dynamic between small organisations and those 
who have border line malicious intentions. 


Q9 Are you answering as: 


C) An individual acting in a private capacity (eg someone providing their views as a member of the public) 
(`) An individual acting in a professional capacity 

© On behalf of an organisation 

€ ) Other 

Please specify the name of your organisation: 


What sector are you from: 
Charity Sector 


Q10 How did you find out about this survey? 
©) ICO Twitter account 
(|) ICO Facebook account 
©) ICO LinkedIn account 
© ICO website 
©) ICO newsletter 
C) ICO staff member 
C) Colleague 
©) Personal/work Twitter account 
(`) Personal/work Facebook account 
() Personal/work LinkedIn account 
O Other 
If other please specify: 


